Pension Benefit Guaranty Corporation
Office of Inspector General
Audit Report

Increased Oversight, Internal Controls and Performance Accountability Needed for PBGC’s Monitoring, Enforcing and Modifying Negotiated Funding Agreements

March 21, 2014
AUDIT-2014-8/PA-11-80

Executive Summary

The Pension Benefit Guaranty Corporation (PBGC) operated its negotiated funding agreement activity without clearly defined objectives or documented operating procedures. The Corporation views each agreement as a unique negotiation and lacked a programmatic view of the activity. As a result, the Corporation operated the agreements with a variable approach which lacked consistent standards, internal controls, and meaningful evaluation of the agreements over time.

PBGC publicly reports obtaining millions of dollars in protections for pension plans annually through negotiated funding agreements (hereafter agreements).
Underfunded pension plans present an increased risk to PBGC and plan participants, and PBGC reports that the agreements counteract risk to pension plans and reduce the Corporation’s potential liability by providing increased funding for pension plans.

The PBGC Office of Inspector General (OIG) conducted an audit to review the effectiveness of PBGC’s processes for monitoring, enforcing and modifying agreements, as well as an assessment of internal controls, transparency, and overall accountability. We also reviewed PBGC’s use of information technology in its processes and how PBGC protects sensitive information entrusted to it. This review encompassed agreements in effect between FY 2000 and FY 2012.

Programmatic weaknesses were identified in PBGC processes for monitoring, enforcing, modifying and controlling agreements. PBGC had not established uniform guidelines. Since PBGC management views each plan sponsor agreement as a unique negotiation, at the time of our review, PBGC had not adopted a consistent and centrally managed practice with effective internal controls, defined business processes, and documented guidelines.

PBGC demonstrated a lack of full transparency and accountability when reporting the face value of agreements and secured funding. The Corporation did not similarly track, analyze or routinely announce the actual outcome of the agreements, which might include significant, although rare, modifications and reductions in contributions.
PBGC management consistently stated that the success of the agreements is based upon getting additional protections for pension plans. However, PBGC could not provide evidence they ever quantified or valued this measure of success against any concessions the Corporation made as part of the agreements.

PBGC monitored, enforced and modified agreements with inadequate performance metrics. According to data PBGC provided for Fiscal Year (FY) 2000 to FY 2012, the agency had 221 agreements in effect valued at more than $7.8 billion. However, we determined the Corporation had not cumulatively tracked the amount of protections actually achieved through the agreements. PBGC management did not effectively ensure processes, controls and responsibilities were fully developed, documented, functioning and reviewed. And, PBGC did not consistently obtain adequate documented assurance that agreement payments were fulfilled according to terms. As a result, realized contributions under the agreements could not be accurately tracked and analyzed, and the Corporation did not know the actual amount of protections achieved under the terms of the agreements in our scope.

TeamConnect, the system used to track the negotiated funding agreements, did not have adequate access controls. Additionally, user access was not restricted on a need-to-know basis. As a result, sensitive proprietary information entrusted to PBGC is exposed to risk.

Due to our audit work, PBGC has made progress and developed written procedures for monitoring the agreements. The procedures provide a framework for monitoring and identification of some key documents in the process, such as Settlement Recommendation Memos. Work is still required to develop more comprehensive procedures for enforcement and modification.
PBGC procured a contractor to assist with defining its business processes and developing procedures. The Corporation's new procedures were implemented during the latter part of our field work. The procedures have not been in effect long enough to determine their effectiveness; therefore, the findings and recommendations will remain.

Table of Contents

Background
Objectives, Scope and Methodology
Findings and Recommendations
    Section A - PBGC should develop a programmatic approach with consistent management and internal controls for their processes of monitoring, enforcing, and modifying negotiated funding agreements.
        Finding 1: During our audit period, we determined that PBGC had not developed overarching policies and procedures for monitoring, enforcing and modifying the agreements.
        Recommendation 1: Define, establish and implement a consistently managed program
        Recommendation 2: Train applicable staff in newly developed processes
        Recommendation 3: Establish policies, procedures and controls which ensure that key decisions made in PBGC meetings are adequately recorded
        Finding 2: PBGC’s performance measures did not successfully assess the effectiveness of negotiated funding agreements.
        Recommendation 4: Establish performance measures which reflect the effectiveness of the program and reevaluate data from the negotiated funding agreements
        Finding 3: PBGC lacked adequate structure for effective records management relating to negotiated funding agreements.
        Recommendation 5: Ensure that TeamConnect procedures adequately incorporate federal guidance and PBGC policies and procedures for records management
        Recommendation 6: Perform and document annual records management reviews
        Finding 4: PBGC reporting of agreement information lacked transparency, standard procedures and coordination.
        Recommendation 7: Ensure policies implemented incorporate guidelines to promote transparency
    Section B – PBGC’s TeamConnect Application used to track the negotiated funding agreements does not have adequate access controls.
        Finding 5: TeamConnect does not have adequate access controls.
        Recommendation 8: Establish roles within TeamConnect
    Appendix A: Agreements Announced by PBGC by Calendar Year
    Appendix B: Number of Documents in TeamConnect by Plan Sponsor
    Appendix C: Amount of Protections Announced by PBGC
    Appendix D: Comments from the Pension Benefit Guaranty Corporation

Background and Objectives

Background

PBGC is a Federal government corporation established under Title IV of the Employee Retirement Income Security Act of 1974 (ERISA), as amended, 29 USC §§ 1301-1461 (ERISA sections 4001-4402). PBGC’s mission is to encourage the continuation and maintenance of private-sector defined benefit pension plans, provide timely and uninterrupted payment of pension benefits, and keep the insurance premiums at a minimum.[1] Through its single-employer and multiemployer programs, PBGC protects the pensions of approximately 42 million workers and retirees in more than 25 thousand pension plans. Under section 4022(b) of ERISA, these pension plans ensure a specified monthly retirement benefit, usually based on salary or a stated dollar amount and years of service.[2]

PBGC receives no funds from general tax revenues and receives financing through insurance premiums paid by plan sponsors that support defined benefit pension plans, by investment income and assets from terminated plans. PBGC has been in a deficit position (liabilities in excess of assets) for a number of years.
Inadequate minimum contributions, inadequate insurance premiums, employer shift from defined benefit pension plans to defined contribution pension plans and insufficient funding of terminated plans are factors contributing to PBGC’s deficit position. As of September 30, 2013, PBGC reported in its financial statements net deficit positions in the Single-Employer and Multiemployer Program Funds of approximately $27.4 billion and $8.3 billion, respectively. PBGC has been able to meet its short term obligations; however, PBGC management believes that neither program at present has the resources to fully satisfy PBGC's long-term obligations to plan participants.

PBGC’s goal is to preserve pension plans and keep the onus of paying benefits in the hands of plan sponsors. However, with ERISA authorization, PBGC sometimes initiates the termination of a pension plan when certain conditions occur, such as if the plan sponsor will be unable to pay benefits when they are due, or the possible long-run loss to PBGC with respect to the plan may reasonably be expected to increase unreasonably if the plan is not terminated.[3] In order to prevent plan termination or to mitigate losses to PBGC and plan participants in the event a plan terminates, PBGC at times works with plan sponsors to obtain protections. PBGC typically negotiates funding agreements, commonly referred to as settlements, through its Early Warning Program (EWP) or through ERISA 4062(e) events. PBGC stated that, until recently, it entered into agreements strictly through its EWP. Under the EWP, PBGC monitors financially underfunded defined benefit pension plans to identify corporate transactions that could jeopardize pensions and to attempt to negotiate protections for participants in those pension plans and the pension insurance program. But recent regulations enacted by PBGC on enforcement of ERISA 4062(e) now allow PBGC to negotiate additional protections with plan sponsors which must report a defined event. In general, a section 4062(e) event occurs when an employer ceases an operation at a facility in any location and, as a result of the cessation, more than 20 percent of the total number of the employer’s employees who are participants under a plan maintained by the employer are separated from employment.[4]

[1] ERISA Section 4002(a)(2); 29 U.S.C. § 1302(a)(2)
[2] ERISA Section 4022(b); 29 U.S.C. § 1322(b)
[3] ERISA Sections 4042(a)(2) and (a)(4); 29 U.S.C. § 1342(a)(2) and (a)(4)

Currently, PBGC monitors plan sponsors through the EWP, though it is more likely to enter agreements under 4062(e) authority. In FY 2012, PBGC publicly reported monitoring more than 1,000 plan sponsors to identify transactions that could pose significant risks to underfunded plans, and to arrange for sponsors to protect those plans financially. In FY 2012, the Corporation’s Annual Report states they opened (PBGC may or may not enter into an agreement for opened cases) 37 new investigations under the Early Warning Program and reached 2 EWP agreements.[5] When responding to our inquiry however, PBGC then reported to OIG that for FY 2012 they reached 3 EWP agreements valued at $30.50 million.[6] The Corporation’s FY 2011 Annual Report states that PBGC secured $195 million in increased protections in FY 2011;[7] PBGC then reported to OIG a value of $279 million for 11 EWP agreements. Under its more frequently exercised 4062(e) authority, PBGC reports that in FY 2012 it reached settlement with 27 plan sponsors for approximately $471 million in additional protections to pension plans.
In prior years, PBGC Annual Reports state that the Corporation opened 68 new 4062(e) cases in FY 2011, as compared with 129 in 2010, 105 in 2009, and 40 in 2008.[8]

A negotiated funding agreement typically begins within the Corporate Finance and Restructuring Department (CFRD), formerly the Department of Insurance Supervision and Compliance (DISC), where pension plans that may pose an increased risk of loss are identified.[9] CFRD is one of four units within PBGC's Office of Negotiations & Restructuring (ONR), which includes the Office of Chief Counsel (OCC), the Standard Termination Compliance Division, and the Multiemployer Program Division. Under the EWP, CFRD monitors plan sponsors at risk and focuses on transactions that pose a risk of long-run loss to PBGC’s pension insurance program; this includes transactions by troubled plan sponsors [10] and by plan sponsors whose plans are underfunded on a current liability basis. Agreements sometimes result from PBGC’s monitoring of plan sponsors at risk. The activities of monitoring, modifying and enforcing agreements are a joint collaboration between CFRD and the OCC. Once an agreement has been executed between PBGC and the plan sponsor, CFRD is primarily responsible for monitoring the agreement to ensure the plan sponsor is fulfilling the terms of the agreement. According to CFRD, if the plan sponsor is not able to meet the terms of the agreement, CFRD in collaboration with OCC will either enforce the agreement or renegotiate the terms so the pension plan can remain ongoing with the sponsor.

[4] ERISA Section 4062.8(a); 29 U.S.C. § 1362(e)
[5] PBGC 2012 Annual Report, http://www.pbgc.gov/documents/2012-annual-report.pdf
[6] According to PBGC, one of the agreements executed provided no additional cash contributions.
[7] PBGC 2011 Annual Report, http://www.pbgc.gov/documents/2011-annual-report.pdf
[8] PBGC 2010 Annual Report, http://www.pbgc.gov/Documents/2010_annual_report.pdf
[9] ERISA Section 4062(a)(4); 29 U.S.C. § 1342(a)(4)

OIG requested and obtained from PBGC a listing of all active agreements (4062(e) and EWP) from FY 2000 through FY 2012.[11] From that listing, we selected and analyzed the agreements that became effective within that time period. Our results revealed an increase in the agreements PBGC negotiates and settles. (See Figure 1) Reflecting the downturn in economic conditions, PBGC experienced a significant spike in the number and dollar amount of agreements after FY 2006.[12] The incidence of agreements increased more than 70% between 2009 and 2010, and peaked between 2010 and 2011, when they increased over 80%. Although the increases varied over time, the recent trend continued to represent considerable potential liability for PBGC. Because PBGC did not assess or quantify the long-run impact of these funding agreements (See Finding 2), it assumes that the total amount negotiated resulted in a reduction in PBGC's liability. Thus, this recent trend could, in fact, result in greater liability for the Corporation.
Therefore, it is critical that PBGC provide adequate management oversight and internal controls in order to provide effective monitoring and accurately inform participants on the projected funding that materialized.

[10] PBGC focuses on companies who are financially troubled or have a significantly underfunded pension plan.
[11] The PBGC-provided listing included all agreements active or in effect during our scope of FY 2000 through FY 2012, which includes agreements that became effective during that time period, as well as agreements which were already active with an established effective date prior to our scope.
[12] Per PBGC information, dollar spikes in FY 2007 and FY 2009 were largely due to a significant agreement ($1.28B in FY 2007) and its renegotiation ($800M in FY 2009).

[Figure 1: chart titled “Number of Agreements and Values PBGC Provided to OIG”; x-axis: years 2000 to 2012; series: Number of Agreements EWP & 4062(e), and Amount of Protections (face value in millions)]

Figure 1 – A trend of increasing liability can be seen over time in the amount of agreements established annually. Information in this chart contains 4062(e) and EWP agreements data, which was provided by PBGC. The information in this chart may differ with data PBGC provides in its Annual Reports because PBGC does not comprehensively report both types of agreement information, and because information provided to OIG may be more inclusive.

Objectives, Scope and Methodology

Our objective was to evaluate how PBGC monitors, enforces, and modifies negotiated funding agreements, including an assessment of how PBGC demonstrates accountability with respect to fulfillment of agreements. We determined how PBGC measures the effectiveness of negotiated funding agreements and evaluated PBGC’s use of information technology in recording, tracking and managing negotiated funding agreements, as well as PBGC’s actions to ensure protection of sensitive data.

Our audit took place in Washington, DC. The scope of our review included negotiated funding agreements in effect from FY 2000 to FY 2012 from which we selected a sample of agreements based on active status as of 01/01/2008, modifications or dollar values greater than $200 million, and some based on press releases made within the scope (see Figure 1 & Figure 6 – for sampling detail).
By active status, we mean agreements that were in effect during our scope, which includes:

    • agreements PBGC established within our scope, and therefore carry an effective date between FY 2000 and FY 2012; and
    • agreements which PBGC established prior to our scope, which carry an effective date established prior to FY 2000.

As a result, we reviewed 12 agreements.

The sample may not be representative of the entire population of agreements. We requested, obtained and assessed all forms of documentation associated with our sample of agreements in order to evaluate the controls over how PBGC monitors, enforces and modifies agreements.

We interviewed management and staff from PBGC’s offices in CFRD and OCC. We also looked at the press releases associated with the agreements and interviewed Communications and Public Affairs Department (CPAD) personnel on PBGC policies and procedures for making these types of announcements. And, we evaluated internal controls in PBGC’s activities for negotiated funding agreements, as well as in TeamConnect, its computer system for agreement data. We evaluated PBGC’s practices against federal rules and regulations and PBGC’s policies and procedures.

The audit was conducted in accordance with Government Auditing Standards, July 2007 and December 2011 revisions (note: auditing standards were updated during the time of our review) issued by the Comptroller of the United States, and applicable OIG policies and procedures. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our conclusions based on our audit objectives.

Audit Results

Findings and Recommendations

Section A - PBGC should develop a programmatic approach with consistent management and internal controls for their processes of monitoring, enforcing, and modifying negotiated funding agreements.

PBGC had not established a program whereby agreements are monitored, enforced and modified under uniform guidelines with adequate oversight. Because management viewed each plan sponsor individually and each agreement as unique, PBGC had not established a consistent and centrally-managed program with defined business processes and documented guidelines. Consequently, the agency had not established internal controls to provide reasonable assurance that the terms of the agreements had been fulfilled and that the protections had been achieved as intended.

Finding 1: During our audit period, we determined that PBGC had not developed overarching policies and procedures for monitoring, enforcing and modifying the agreements.

PBGC had not established adequate processes and controls to effectively monitor, enforce and modify the negotiated agreement activity. This occurred because PBGC viewed each plan sponsor individually and each agreement as unique, requiring a differential approach. The Corporation’s inconsistent approach means it had not developed coherent standards to apply throughout agreement activities conducted. PBGC’s agreement activities lacked ownership, accountability, and a consistent approach.
As a result, PBGC could not ensure that agreements were monitored, enforced and modified on a consistent and transparent basis under uniform and equitable guidelines with effective internal controls.

Agreements are primarily monitored, enforced and modified by two departments under PBGC’s Office of Negotiations and Restructuring: CFRD and OCC. Press releases, which publicly announce many of the agreements, are handled by CPAD. PBGC press releases and annual reports place emphasis on the face value of the agreements, rather than the actual outcome of the agreements. We selected a sample of 12 plan sponsors for our review, 10 of which had press releases announcing that the sponsors were contributing a total of $2.67 billion in additional pension plan funding to their respective plans.

PBGC provides CFRD and OCC with delegation of authority, which allows management in both departments to take official action on behalf of the Corporation, up to an agreed upon monetary threshold. However, the delegation of authority does not ensure CFRD and OCC have a coordinated and documented business process for monitoring, enforcing and modifying agreements. PBGC management believed that the agreements process should be flexible and nimble due to the uniqueness of each plan sponsor’s pension plan, taking a variable approach. However, we determined the lack of a coordinated and documented process has led to agreements being monitored, enforced, and modified without consistently applied methodologies and standards. Lack of coordination has negatively impacted PBGC’s ability to retrieve critical agreement data and produce timely accurate reports to stakeholders.
(See Finding 3)

PBGC management stressed the importance of obtaining additional protections for the plans throughout our review, but provided no evidence the Corporation ever performed adequate and consistent analysis of its activities. PBGC could not provide adequate documentation evaluating the impact of negotiated agreements on the participants’ benefits and PBGC’s liability if the plan subsequently terminates. PBGC’s response to our initial request for a listing of agreements required a labor intensive manual process to develop a cumulative listing. It took the Corporation nearly one month to compile the listing which was then subsequently modified due to recording and tracking inconsistencies and inaccuracies. PBGC has begun developing a process whereby all agreement data is stored in TeamConnect, the shared CFRD and OCC application used to monitor agreements. Prior to the use of TeamConnect, records were inconsistent and PBGC’s divergent method led to duplicative and irreconcilable data being stored across various computer systems (including TeamConnect) in multiple file formats. (See Finding 3)

We selected 12 negotiated funding agreements with plan sponsors based on the following criteria: eight from the PBGC-provided listing that were active as of 01/01/2008 and had a face value greater than $200 million, and four for which PBGC had issued a press release but which did not appear on the listing.

We requested that CFRD provide all documentation for our sample agreements. Upon review of the Corporation's records, we determined PBGC lacked adequate controls over management of the activities for monitoring, enforcing and modifying the agreements.
Specifically, OIG expected PBGC to maintain some basic information regarding ongoing agreements, such as:

    • comprehensive ongoing analysis of risks, gains and/or losses to the Corporation, and/or the potential effects of modifications on pension plans and participant benefits. (for our sample of agreements)
    • the dollar amount owed for which PBGC had issued enforcement letters.
    • the dollar amount of protections indicated in the agreement that were actually received by the plan.

Though there are no metrics that quantify the dollars received, the then-Acting Director of CFRD provided evaluations stating that “every dime” that comes into the plans improves PBGC’s financial position. The Acting Director indicated that financial analysts perform formal risk assessments at the time funding agreements are initially executed, which were reviewed and signed by a CFRD reviewer. PBGC was unable to provide formal documented risk assessments for the agreements in our sample, as it relates to effectiveness; gains or losses in the event the plan is terminated. PBGC stated that risk assessments are conducted for new agreements only. OIG believes this type of analysis is beneficial throughout the agreement process.

We made similar observations regarding affordability analysis for agreement modifications. After PBGC and the plan sponsor enter into a negotiated funding agreement, PBGC can modify the agreement if the plan sponsor states it cannot afford the agreed-to payments.
With respect to agreement modifications, PBGC stated that it verifies the financial distress of the plan sponsor by performing an affordability analysis [13] and by reviewing relevant financial and pension information, including an assessment of a plan sponsor’s profitability. Of our 12 sample agreements, 11 were modified but did not have an affordability analysis. Furthermore, our review of agreement documentation revealed that 5 of the 12 plan sponsors did not have the required modification recommendation memo referred to by CFRD officials; this is the formal proposal made by the case team to management to support modifying the payment terms. Our review of the 7 plan sponsors with recommendation memos showed inconsistent levels of effort and detail.

In addition, PBGC did not ensure meetings were documented where key decisions were made. For example, PBGC could not provide meeting notes for the negotiations between PBGC and the plan sponsor that resulted in a modification whereby money due to the aforementioned pension plan was reduced to $800 million from the original amount of $1.2 billion. In most agencies, policies, decisions, and commitments are frequently made in meetings, over the telephone, or by electronic mail or facsimile transmission. To ensure that such policies and decisions are adequately documented, agencies should establish procedures that require personnel at all levels to document conversations and meetings dealing with significant program business by preparing a dated and signed memorandum or form identifying the participants and summarizing the conversation or meeting.[14] Government-wide regulations issued by the National Archives and Records Administration (NARA) require that full and accurate records of an agency’s business operations and activities be created or captured and that the records be organized and maintained to ensure they are available in a usable format at all times.[15] In its guidance to all Federal agencies, NARA notes: “Conducting Government business without adequate documentation increases the possibility that, in time, all relevant facts may be unavailable or interpretations may be distorted. As staff members leave, information that has not been documented will be lost to the agency.”[16]

[13] PBGC performs an affordability analysis to determine if the agreement needs to be modified, and reviews ad-hoc forms of documentation, such as business plans, bank books, historical financials, bank agreements, capital expenditures, marketing materials, and the pension information needed to project pension contributions.
[14] http://www.archives.gov/records-mgmt/publications/agency-recordkeeping-requirements.html
[15] 36 CFR §§ 1220.32 and 1220.34.
[16] Agency Recordkeeping Requirements: A Management Guide: http://www.archives.gov/records-mgmt/publications/agency-recordkeeping-requirements.html

PBGC has taken a step to emphasize the importance of recording meeting discussions and outcomes by adding a reminder of the requirement to the electronic scheduling notice for conference rooms, including this message: “…verbal decisions must be documented in a manner that is appropriate for conducting PBGC business.”

We observed that PBGC’s knowledge of the negotiated agreements activity was stove-piped based on individual employees' understanding of how agreements should be processed due to the unique nature of each agreement.
This contributed to PBGC’s decentralized and inconsistent approach to managing agreements, and also contributed to employees storing data in decentralized locations.

Internal controls within the business process are cornerstones to effective knowledge management, program operation, and management oversight. At the time we initiated our review, TeamConnect had recently been implemented as CFRD’s electronic record-keeping system. The implementation was completed without adequately defining business processes and key controls upfront, which resulted in inconsistent document creation and filing. For example:

    •   In testing how PBGC verified plan sponsors make required contributions to their pension plans, we found documentation of payment verifications for 9 of 12 agreements in our sample. This documentation was inconsistent in format and filing. Most financial analysts stated they monitored the payments, but they provided no documentation supporting the performance of periodic monitoring to identify and follow up on missed payments.
    •   When PBGC identifies that plan sponsors have missed payments under the agreements, the Program Manager and Lead Business Expert for the TeamConnect Application told us that PBGC sends out enforcement letters. There were no enforcement letters issued for the 12 agreements in our scope. However, we tested PBGC’s tracking of enforcement letters for other agreements and determined that PBGC’s inconsistent file-naming conventions hindered the Corporation’s ability to track and report the amount of enforcement letters and other types of critical documentation over time.
    •   According to the TeamConnect Manager, payment information is entered into TeamConnect and management can review what is entered at any given time.
        However, when we interviewed a financial analyst who worked on an agreement modification, we found that payment information was not entered, tracked and verified in TeamConnect.

When agreements are modified, they are entered into TeamConnect as new agreements. In addition, they are not “linked” to the original agreement, resulting in modifications not appropriately designated in the system. Since agreement information is not readily available, this condition makes it difficult for the Corporation to track and report on agreement modifications from TeamConnect. PBGC has no assurance all necessary Federal records have been created and maintained; tracking and reporting modifications in TeamConnect may be a burdensome and time-consuming task, and management oversight may be difficult. This may result in inaccurate, untimely, and unreliable data. Further, we would have expected that PBGC obtained cancelled checks or wire transfer notifications as verification of payment, but we found the Corporation accepted memos from the plan sponsor. For example, for one agreement, Plan Sponsor A merely wrote to PBGC that it contributed $8.75 million to its plans. (See Figure 2) This failure to obtain source documentation to verify that plan sponsors actually made the required payments to the pension plans was not limited to Plan Sponsor A, but was typical.
As a result, PBGC does not have adequate documented assurance that payments in the agreements were fulfilled according to terms.

 Plan sponsor A                                                  Agreement Balance   Payments to Plan
                                                                 ($ millions)        ($ millions)

 Agreement made and publicly announced by PBGC *                 $39
 (due over 6 years)

 Reported payments made by plan sponsor over a two year                              $12.25
 period ($26.75 remained due on agreement) **

 Remainder due on original agreement                             $26.75

 Agreement modification results in lesser amount due to                              $11.5
 plan ***

 Modification means pension plan received $15.25 less than       ($15.25)            $23.75
 PBGC reported in its public announcement

Figure 2 – Agreement and modification example
* The purpose of this chart is to highlight the lack of transparency between what the Corporation publicly announced and the amounts actually received into the plan.
** PBGC’s reported payments, verified only with memos from plan sponsor.
*** PBGC reports that at the time of the modification, the Unfunded Benefit Liability was $16 million.

Our audit confirmed what one analyst stated: it is up to each individual to design the appropriate methodology to monitor each plan sponsor based on the terms and conditions of the agreement. We observed that this approach has metastasized over time, resulting in confusion and redundant documentation in TeamConnect. For example, one plan sponsor had over 9,000 total documents stored in TeamConnect, while another plan sponsor had only 37 total documents.
While OIG recognizes that different agreements will have varying levels of associated documentation, PBGC’s approach did not ensure standard documentation was required for agreements in our sample. For example, no standard file structure was in place for document retention and filing. Similarly, no standard naming conventions were in place. These inconsistencies resulted in difficulties identifying documents and ensuring all necessary documents have been properly created and retained, especially in plans with voluminous documentation. Such inconsistency can negatively impact both the operation and management oversight of the program. PBGC stated that new controls (described below) will mitigate data redundancy and inconsistencies.

In March 2013, CFRD implemented new procedures that PBGC management believes will enhance oversight and ensure increased consistency amongst agreements. These new procedures require that all agreement data is captured in TeamConnect, and establish activities to better monitor agreements on an ongoing basis. Prior to March 2013, PBGC did not have controls in place to ensure employees manage and maintain consistent documentation under uniform guidelines. While these new procedures are certainly a step in the right direction, OIG cannot state that they are complete or effective; that will be established through application and operation over time.

When PBGC takes action inconsistently and without adequate documentation, increased risks are created for the Corporation. One potential risk may be a litigation risk.
Though PBGC reported it has not sought court-enforcement of an agreement in the past, conditions might arise in the future whereby PBGC may wish to file an enforcement action against the plan sponsor to compel agreed-to payments for the plan.

Negotiated funding agreements are legal agreements that are enforceable under contract law. If PBGC should decide to enforce an agreement, PBGC’s documentation of its monitoring, enforcing and modification of agreements may create additional challenges for the Corporation. For example, it may decide it cannot bring the action because the analysis and decisions were not documented or were inadequately documented. Or, if the plan sponsor sought a modification of the agreement, PBGC declined to modify, and the plan failed to pay, inconsistent documentation of PBGC’s analysis and determination may adversely impact its enforcement action.

Recommendation 1: Define, establish and implement a consistently managed program with documented and assigned responsibilities for staff and managers, including key controls such as supervisory review and required standard documentation to ensure agreements are consistently monitored, enforced, and modified under uniform and equitable guidelines.

Recommendation 2: Train applicable staff in newly developed processes and TeamConnect required documentation, and ensure periodic management review to ensure effectiveness of established internal controls.

Recommendation 3: Establish policies, procedures and controls which ensure that key decisions made in PBGC meetings are adequately recorded and periodically reviewed by management, according to federal records management regulations and PBGC policy.


Finding 2: PBGC’s performance measures did not successfully assess the effectiveness of negotiated funding agreements.

PBGC had not established adequate performance measures which provide a meaningful assessment of the negotiated funding
agreements program. Because management viewed each plan sponsor’s circumstances individually and each agreement as unique, PBGC had not established measures that demonstrated a consistent approach or a centrally-managed program. As a result, PBGC could not definitively assess the effectiveness of agreements.

Adequate performance measures provide management with a tool to evaluate overall program effectiveness. PBGC publicly reports two “measures”:

        1. The dollar amount the plan sponsor agreed to contribute to the pension plan in the original negotiated agreement; and
        2. The number of plans and/or participants impacted by the agreement.

While this data may be a measure of accomplishment, because PBGC did not routinely retain documentation of their negotiations and analysis, it is difficult to validate whether the particular negotiated dollar amount was the best, or even a good, outcome. This resulted from PBGC’s position that any additional dollar contributed to the pension plan was a success; the pension plan remained ongoing. In addition, PBGC did not evaluate the actual value of protections achieved as a result of entering into an agreement – e.g., actual amount contributed to the plan vs. promised amount. For example, PBGC did not have tools in place to assess: if a plan subsequently terminated after entering into an agreement, the extent to which the additional contributions would cover increased benefits to participants because the plan remained on-going, or whether the additional payments reduced PBGC’s liability. Of the 12 plan sponsors we reviewed, none had any formal analysis documenting the outcome of the agreement.
As a result, the Corporation could not quantify the outcome of the agreements for the plan participants, provide documented assurance that agreements were fulfilled according to terms, or quantify a reduction in PBGC’s liability in cases of subsequent plan termination.

Similar to OIG’s observations, an official from PBGC’s Strategic Planning and Evaluation Division (SPED) stated there have been difficulties establishing performance metrics within the ONR (the division under which CFRD operates). The SPED official indicated it has been challenging to establish metrics because ONR’s work is cyclical and relies on economic conditions. And the agreements may span 20 years, so the agency must first establish measurable time periods.

In Office of Management and Budget (OMB) Memorandum 10-24, Performance Improvement Guidance: Management Responsibilities and Government Performance and Results Act Documents (6/25/10),[17] OMB provides guidance to Federal agencies on the Government Performance and Results Act (GPRA) and other performance management activities. OMB stresses that the agency’s strategic plan is critical for managing the agency and accomplishing the mission.

[17] OMB 10-24 also provides strategies for ensuring performance information to lead, learn, and improve outcomes, communicate performance coherently and concisely for better results and transparency and strengthen problem-solving networks that improve outcomes and performance management practices.

        An agency’s strategic plan is a valuable tool for communicating to agency managers, employees, delivery partners, supplies, Congress, and the public a common vision for the future.
        It should inform agency decision-making about the need for major new acquisitions, updated information technologies, hiring, skill development, and evaluations. Strategic plans can also help agencies invite ideas and stimulate innovation to advance agency goals. Above all, an agency’s strategic plan should be used to align resources and guide decision-making to accomplish priorities and improve outcomes.

OMB further states that agencies need to translate the goals in their strategic plans to annual performance targets that are updated annually as part of their budget submissions. Senior agency leaders are expected to hold goal-focused, data-driven reviews at least once every quarter to review progress on their Priority Goals. As GAO stated in a report analyzing GPRA’s effectiveness: “The federal government should be able to demonstrate to the American Public that it can anticipate emerging issues, develop sound strategies and plans to address them, and be accountable for the results that have been achieved.”[18]

In PBGC’s Strategic Plan, Goal 1 is to “Preserve Pension Plans and Protect Pensioners.” Within Goal 1, PBGC has established the following performance goal that is related to the work conducted by ONR - specifically CFRD and OCC - when it enters into negotiated funding agreements.

        Performance Goal: Minimize Potential Losses from Financially Weak Sponsors with Underfunded Plans

        Strategy: We monitor companies with large pension plans for risky corporate transactions, enforce section 4062(e) of ERISA relating to corporate downsizing events, protect the program and participants in plan sponsor bankruptcies, terminate underfunded plans when necessary, and pursue and defend against claims in litigation.

From this overall Corporate Strategic Goal, performance goal and strategy set out in
PBGC’s Strategic Plan, the departments responsible for achieving or contributing to the goal would develop their own performance goals, strategies and metrics - in this case, ONR and then CFRD and OCC. When we examined PBGC’s reporting on this performance goal and strategy in its annual performance reports, the annual budget submissions, and internal quarterly performance, we found that PBGC was simply reporting numbers of companies with which it entered into negotiated agreements and the unrealized face amounts. For example, PBGC said:

     •   In the FY 2010 Annual Report and in the FY 2012 Congressional Budget Justification (CBJ), it reached settlements with 20 companies for approximately $250 million; (the CBJ stated it “secured funding of $250,000….”);
     •   In the FY 2011 Annual Report and the FY 2013 CBJ, it “negotiated $195 million in increased protection for over 200,000 plan participants at risk from corporate transactions, and secured $370 million on behalf of people in 40 plans whose companies down-sized.”;
     •   In the FY 2012 Annual Report, it “negotiated $31 million in financial assurance to protect more than 9,000 people in plans at risk from corporation transactions (2 companies), and negotiated $471 million in financial assurance to protect 50,000 people whose companies had downsized (27 companies).”

[18] GPRA Has Established a Solid Foundation for Achieving Greater Results, GAO-04-38 (March 2004) http://www.gpo.gov/fdsys/pkg/GAOREPORTS-GAO-04-38/content-detail.html

In addition, PBGC’s quarterly performance assessments report this same data as
“performance metrics.” This is performance data, not performance metrics. Moreover, it is not a final performance outcome, but rather incomplete performance data because it does not account for modifications in which PBGC agrees for the plan sponsor to pay a lesser amount than reported.

When PBGC is in the situation of considering a negotiated agreement, it is because some event has occurred that puts the pension plan at greater risk for underfunding and potential inability to pay benefits. In these circumstances, PBGC must evaluate under ERISA whether it should take steps to terminate the pension plan. PBGC will often agree to forgo terminating pension plans in return for the extra protections the agreements provide. However, without formal analysis of outcomes, PBGC cannot reasonably assess and value considerations it makes in relation to the amount of protections actually achieved. For example, new participants and increased benefits (i.e., from additional vesting or new benefits) potentially add to the liabilities of the plans as they continue.

We recognize that PBGC cannot set a target for how many agreements it will enter into or the protections it may negotiate. We also acknowledge that PBGC’s first statutory mission in ERISA is to encourage the continuation of defined benefit pension plans and these negotiated funding agreements are a tool to accomplish this mission.[19] However, PBGC also has a responsibility to be fiscally responsible and to terminate a plan when the “possible long-run loss of the corporation with respect to the plan may reasonably be expected to increase unreasonably if the plan is not terminated.”[20] Thus, PBGC should analyze data about the agreements it negotiates and develop some internal performance metrics to evaluate the efficacy of the agreements and the impact of these agreements upon PBGC’s liability.
Only after analysis of empirical data can PBGC state with assurance that the program is accomplishing the desired outcome – greater protection for employees in on-going plans and protection of PBGC’s long-term financial condition.

[19] ERISA 4002(a)(1), 29 U.S.C. 1302(a)(1)
[20] ERISA 4042(a)(4), 29 U.S.C. 1342(a)(4)

Recommendation 4: Establish performance measures which reflect the effectiveness of the program and reevaluate data from the negotiated funding agreements in order to determine differences between EWP and 4062(e) trends over time, to adequately track the amount of protections achieved through the agreements, amount of modifications, and to identify required documentation. Performance measures should meet federal performance standards, PBGC policy, and provide for transparent communication to key stakeholders and plan participants.


Finding 3: PBGC lacked adequate structure for effective records management relating to negotiated funding agreements.

PBGC did not have a sufficient records management structure for storing and retrieving files related to agreements. This occurred because PBGC did not have documented processes and uniform guidelines for monitoring, enforcing, and modifying agreements. Employees were not properly trained in records management or the use of the TeamConnect application. Moreover, undocumented business processes led to TeamConnect’s inadequate system design. These conditions caused inconsistent use of TeamConnect and inconsistent naming conventions for records. Consequently, PBGC has no assurance all necessary Federal records have been created and maintained, management oversight is difficult, and retrieving data for the agreements can be a burdensome and time-consuming task.
This may result in inaccurate, untimely, and unreliable data.

As a Federal entity, PBGC is subject to record-keeping requirements set forth in the Federal Records Act[21] and the implementing regulations. Under 44 U.S.C. § 3101, the head of each Federal agency must make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency. These records must be designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities. Further, the statutory definition of “records” in 44 U.S.C. 3301 is broad and includes:

        all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government because of the informational value of the data in them.

The Code of Federal Regulations at 36 CFR Part 1220 sets out record keeping requirements for Federal agencies. Section 1220.10(b) states Federal agencies are responsible for establishing and maintaining a records management program that complies with National Archives and Records Administration and General Services Administration regulations and guidance.[22]

[21] 44 U.S.C. §§ 3101-3107
[22] http://www.gpo.gov/fdsys/pkg/CFR-2011-title36-vol3/pdf/CFR-2011-title36-vol3-sec1220-10.pdf

PBGC’s Interim Guidance, Records Management Program[23] states that departments must establish and maintain a file plan and perform records management reviews. A file plan is a classification scheme describing: different types of files maintained in an office; how they are identified; where they should be stored; how they should be indexed for retrieval; and a reference to the approved records disposition schedule for each file.

PBGC’s Records Management Officer performed a Records Management Assessment of PBGC as a whole, as required by NARA in April 2010. He recommended that each PBGC department develop a file plan; however, PBGC had not effectively enforced the records management reviews required by NARA and CFRD was unable to provide a sufficient file plan. When CFRD provided us a logical data model in response to our request for a file plan, we found that agreements were not properly mapped to the responsible departments and key documents and process flows related to agreements were not included. PBGC subsequently provided us with another file plan.
However, the subsequent file plan did not contain retention schedules, departmental designations were undefined, and processes related to the files were unclear.

PBGC did not have a comprehensive database for negotiated agreement data and at the time of our review, PBGC maintained files in various systems and locations such as:
    • Network drive;
    • TeamConnect;
    • CFRD’s High-Tech Actuarial & Financial Management Pension System (CHAMPS);
    • Legal Edge for Windows (LEW);
    • Excel Spreadsheets; and
    • Hard copies in file cabinets.

In 2009, PBGC implemented TeamConnect, in part to address file inconsistencies. At the time of TeamConnect’s rollout, the Corporation intended for the application to manage case documentation and workflow in line with proper enterprise architecture. Enterprise architecture establishes an Agency-wide road map to achieve an agency’s mission through optimal performance of its core business processes within an efficient information technology environment.[24] PBGC expected to attain better coordination between CFRD and OCC with a common computer system. However, we found that TeamConnect reflects design faults, and an enterprise architecture which was not built to adequately support the monitoring, enforcement and modification of agreements. Upon requesting information, we observed PBGC personnel and conducted independent searches in TeamConnect; we determined information was not easily locatable. At the time of our review, we observed that employees did not use TeamConnect in a uniform and consistent manner and users still relied heavily on network drives; therefore critical data files were not being migrated into TeamConnect.
As a result of TeamConnect’s inadequate design and inconsistent use, information in TeamConnect was not readily available when needed, and the integrity of information in TeamConnect may be compromised.

[23] This document replaces Directive IM 15-1.
[24] http://www.gao.gov/assets/590/588407.pdf

PBGC developed a handbook and CFRD management said employees were instructed on the use of TeamConnect. However, elements of the processes associated with monitoring, enforcing and modifying agreements were not well-defined; therefore, PBGC has recently implemented new controls to address the inconsistent usage of TeamConnect. CFRD employees previously stored a significant amount of agreement data on a shared network drive, and a number of files were duplicated, leading to data redundancy and increased cost. (See Appendix B). This inconsistent organization of files on the shared network drive then continued into the transition to TeamConnect.

We also observed that files which are uploaded into TeamConnect are inconsistently named, resulting in a burdensome task when trying to locate specific documents. For example, we found a memorandum used for payment verification in TeamConnect titled “RJ.pdf,” an Actuarial Valuation Report (AVR) titled “rjrenolds.pdf,” and a Form 5500 titled “R.J.pdf.” These three documents were among numerous documents related to this plan; none of these names would assist in locating these particular documents. Without naming conventions and specific titles, documentation identification and retrieval is a daunting task, with considerable risk that relevant documents cannot readily be found. This makes management oversight significantly more difficult and can lead to decision making with incomplete information.
Also, when staff changes ultimately occur, PBGC will not be able to obtain legacy information, unless employees develop a data dictionary or directory prior to departure.

OMB Circular A-130 requires agencies to incorporate records management and archival functions into the design, development, and implementation of information systems.[25] Although PBGC’s design documents for TeamConnect reflect the technical aspects of the system, we did not see evidence that PBGC adequately defined and incorporated comprehensive business processes and records management for the negotiated funding agreements.

[25] OMB Circular A-130, Appendix IV para. 8a(1)(k), http://www.whitehouse.gov/omb/circulars_a130_a130trans4

Recently, PBGC developed new procedures regarding the use of TeamConnect and assigned a staff member the responsibility of ensuring and verifying records are accurately maintained. PBGC focused on entering open agreement information into TeamConnect; older information from closed agreements, prior to 2008, may not be in TeamConnect. The Corporation’s new controls are designed to address the inconsistent usage of TeamConnect going forward. These processes are steps in the right direction; however, they have not been in place long enough to adequately assess effectiveness.

TeamConnect’s development did not consider and effectively implement records management requirements and enterprise architecture guidelines defined in OMB Circular A-130. As a result, TeamConnect was not used consistently and did not provide a reliable source of government records needed to support the negotiated funding agreements.

Recommendation 5: Ensure that TeamConnect procedures adequately incorporate federal guidance and PBGC policies and procedures for records management, so that staff consistently store, maintain and dispose of federal records.

Recommendation 6: Perform and document annual records management reviews in compliance with Federal standards and PBGC policy. Reassess the file plan to ensure all federal records have been identified.


Finding 4: PBGC reporting of agreement information lacked transparency, standard procedures and coordination.

PBGC’s communications regarding publicly reported negotiated agreement outcomes need improvement. Agreement information was distributed on what could be perceived as an ad-hoc basis. PBGC’s reporting process was not transparent. This occurred because PBGC did not have coordinated and documented processes for publishing agreement information and notifying stakeholders. As a result, PBGC lacks transparency in the information it reports to the public.

As noted above, the Corporation consistently reports the face value of the agreements in its annual performance reports and budget submissions, without effectively tracking and analyzing agreements or reporting subsequent results. For example, in PBGC’s FY 2012 annual report, the Corporation identified that it reached settlement in 27 4062(e) agreements valued at approximately $471 million. These numbers alone are problematic, because they do not tell the whole story. Specifically, we would expect PBGC to track the amount of contributions to pension plans over time against the face value of the agreements, taking into consideration any modifications to the original agreement.
Additional performance measures would then
demonstrate subsequent comparison of the program’s output and outcome in order to judge the
program’s effectiveness. Minimally, we would also expect PBGC to quantitatively gauge the
impact of the program’s outcome with an estimate of what would have happened in the absence
of the agreement program.

In addition to reporting the initial dollar amounts as outcomes in statutorily-required reports,
PBGC also issues press releases. PBGC announces large dollar protections it has negotiated
with a plan sponsor soon after entering into an agreement, but prior to fulfillment. PBGC knows
from past experience that the contributions may not fully materialize. The Corporation has made
these announcements on an extemporized and informal basis and did not have associated policies
or procedures directing officials when and how press releases should be issued for the
agreements. Further, PBGC did not have a standard to issue a press release in the rare event the
agreement is subsequently modified and the plan sponsor will be contributing less to the plan.
For example, PBGC published a press release in which they announced an agreement for $39
million. However, PBGC did not similarly announce when the original agreement was modified
and $15.25 million of the $39 million never materialized. (See Plan Sponsor A in Figure 2)

When making press releases, PBGC targets two audiences: plan participants and the media. The
Corporation considers where a majority of participants in the plan live and runs ads in local
newspapers, and also reaches out to the press through trade and investment publications. CPAD
evaluates the announcements based on how widely they are picked up and by what publications
and/or media.
According to PBGC officials, for negotiated funding agreement press releases,
CFRD and OCC collaborated informally on the language and CFRD provided the numbers.
Then CPAD would “craft” the announcements, CFRD/OCC reviewed it, and the Director
provided final approval. We note that, of the 12 plan sponsors in our sample, 10 plan sponsors
had press releases totaling $2.67 billion. Further, the number of press releases to announce the
agreements increased four-fold from 2007 to 2012. (See Appendix A)

PBGC has recently implemented the “CPAD Coordination” process designed to ensure CPAD
and CFRD communicate early on in the process of determining whether an agreement should be
announced. The CPAD Director stated that PBGC developed the coordination document as a
result of this audit and because CPAD recognized that previous agreements were announced on
an ad-hoc basis. OIG commends CPAD’s proactive approach. We believe additional processes
are needed, as it does not account for announcing the potential maximum dollar amount of initial
contributions in the settlement and subsequent modifications.

PBGC does not report the actual outcome of the agreements, nor does the Corporation have
standards to report if any of the agreements were subsequently modified. Of our sample of 12
agreements, 11 were modified. Agreement modifications varied, including monetary, notes, and
stock. PBGC management said that participants can go at any time to the U.S. Securities and
Exchange Commission (SEC) filings of a particular plan sponsor to obtain the actual amount of
pension plan contributions. PBGC does not state in the press release that one should follow up
on the plan’s compliance with the funding agreement through SEC filings. Neither has PBGC
developed instructions or guidance directing participants to SEC filings.
Additionally, when we
tested some SEC filings, we found that SEC filings did not always contain up-to-date plan
information. This condition provides unreasonable expectations of participants when PBGC
has, or should have, the information in its possession in the event pension plan contributions are
not materialized or agreements don't reach fulfillment. PBGC’s process lacks transparency. As a
result, PBGC lacks transparency in the information it reports to the public.

Transparency in Federal government operations is important to accountability. OMB Circular
No. A-130, Management of Federal Information Resources, states: agencies must make
accessible sufficient information to ensure the management and accountability of agency
programs. Agencies have a responsibility to provide information to the public consistent with
their missions, and agencies must discharge this responsibility by helping the public locate
government information maintained by or for the agency. Additionally, President Obama
communicated to all agency heads that he was committed to creating an unprecedented level of
openness in Government. In his memo, he stated:

         Transparency promotes accountability and provides information for citizens about what
         their Government is doing. Information maintained by the Federal Government is a
         national asset. My Administration will take appropriate action, consistent with law and
         policy, to disclose information rapidly in forms that the public can readily find and use.

To implement the President’s direction, OMB developed Guidance on Open Government and
Transparency (OMB M-10-096), which directs executive departments and agencies to take
specific actions to implement the principles of transparency, because transparency promotes
accountability by providing the public with information about what the Government is doing.
PBGC is proactive in announcing initial negotiated funding agreement amounts, but is silent
when those amounts are re-negotiated, contrary to transparent and open government required by
OMB.

Recommendation 7: Ensure policies implemented incorporate guidelines to promote
transparency for publicly reporting information regarding negotiated funding agreements,
including criteria for when agreements, modifications and other relevant information will be
included in press releases.

Section B – PBGC’s TeamConnect Application used to track the negotiated
funding agreements does not have adequate access controls.

PBGC has recently completed a Security Authorization (SA) 26 (April 2013) for the TeamConnect
application. At the start of our review, an SA was not in place and we brought this matter to
PBGC’s attention. We commend the agency for being proactive and addressing this important
security control. However, we caution that TeamConnect’s existing access controls were not
configured or operating effectively and based on our review of the SA documentation, effective
new controls have not been implemented.
As a result, sensitive proprietary information
entrusted to PBGC is at risk of being leaked, stolen or otherwise compromised.

Finding 5: TeamConnect does not have adequate access controls.

PBGC did not limit access to TeamConnect on a need-to-know basis, with least privilege in
mind. 27 This occurred because management of system security lacked oversight, control and
ownership. As a result, sensitive proprietary information entrusted to PBGC is at risk of being
leaked, stolen, or otherwise compromised.

26 Certification is a comprehensive analysis of information technology systems' technical and non-technical security
controls. Accreditation or "authorize processing" is the official management authorization for the operation of a
system or application and is based on the certification process as well as other management considerations.
http://csrc.nist.gov/groups/SMA/fasp/faqs.html
27 The National Institute of Standards and Technology defines “need-to-know” as a method of isolating information
resources based on a user’s need to have access to that resource in order to perform their job but no more. The terms
“need-to-know” and “least privilege” express the same idea, but need-to-know is generally applied to people, while
least privilege is generally applied to processes.

We learned that social security numbers and confidential business information within
TeamConnect were not protected with least privilege controls. We met with the system owner
for TeamConnect who stated that all users could see everything (i.e., with “read-only” access)
because access controls for TeamConnect were not yet fully implemented.
Additionally, the
system owner was unaware of the full scope of sensitive information within TeamConnect.
Subsequently, PBGC completed a TeamConnect Privacy Impact Assessment (PIA) whereby it
believes all relevant privacy information is outlined.

Further analysis of the access control listing showed that PBGC employees and contractors from
over a dozen different departments including CFRD, Benefits Administration & Payment
Department (BAPD), Financial Operations Department (FOD), and Policy Research and
Analysis Department (PRAD) had “normal access.” That is, normal users may add or update
records in specified objects, but have no delete, tool access or security access rights. We
conducted application control testing with two users, an OCC attorney and a CFRD actuary.
Both employees demonstrated they had privileges which exceeded read-only access and were
able to upload documents into matters that were not assigned to them, thus superseding their
need-to-know and least privileges. Further, OIG was provided with guest privileges to
TeamConnect for the purpose of reviewing agreement documentation, but this access was not
restricted from uploading documents. Regarding access privileges, NIST standards state that
organizations should apply the concept of “least privilege,” only allowing authorized access to a
user that is necessary to accomplish assigned tasks in accordance with organizational missions
and business functions.

When PBGC analyzes access privileges for TeamConnect, it may decide that persons in multiple
departments require access to relevant documents.
But, such determination should be fully
documented and limited on a need-to-know basis with established protections against
unauthorized changes.

At the time of our review, PBGC’s Information Assurance Handbook (IAH), Volume I, Section II
was the applicable guidance; it stated PBGC must review user accounts every 30 days and match
personnel files to user accounts daily to ensure individuals who no longer work at PBGC don’t
retain their access. OMB Circular A-130, Management of Federal Information, states that
agencies shall safeguard information with protection commensurate with the risk and magnitude
of the harm that would result from the loss, misuse, or unauthorized access to or modification of
such information. 28 We reviewed the TeamConnect user access listing and found that two
employees (including one contractor) who should have been removed from the application
within 30 days were not removed timely. The separated PBGC contractor retained an active
TeamConnect account for 3 months after separation. A federal employee separated December
31, 2010, but PBGC did not ensure access was removed until April 25, 2011. PBGC has since
implemented new security standards 29 and additional controls to review user access on a periodic
basis.

28 http://www.whitehouse.gov/omb/circulars_a130_a130trans4

Per OMB, agencies must safeguard sensitive information by limiting access to only those
individuals who must have such access. 30 PBGC employees and contractors are responsible for
all sensitive information obtained by them in the course of performing official duties, whether in
electronic or hard copy format, and must treat such information in a manner that will prevent it
from being accessed by or disclosed to a person or entity who is not authorized to receive it.
31
According to GAO standards, people are what make internal control work, and although the
responsibility for good internal control rests with all managers, all personnel in the organization
play an important role. Recent events such as the WikiLeaks and the NSA spy scandal 32 have
brought to the forefront the importance of internal and access controls, especially for personnel
with powerful account privileges. Without well-designed and implemented controls, PBGC
sensitive data is at risk and PBGC cannot provide reasonable assurance that corporate sensitive
data entrusted to PBGC is appropriately protected.

Recommendation 8: Establish roles within TeamConnect and limit access to the TeamConnect
application on a need-to-know basis in accordance with NIST standards and PBGC security
standards.

29 PBGC's Access Control Standard, STD-01-32, requires that information system owners identify authorized users
of information systems and specify access privileges.
30 OMB M-07-16, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf
31 PBGC Directive IM 10-3, Protecting Sensitive Information (4/23/08)
32 http://www.gsnmagazine.com/node/22133

Appendix A: Agreements Announced by PBGC by Calendar Year

[Bar chart: Agreements Announced by PBGC by Calendar Year; horizontal axis: Calendar Year, 2000 to 2010]

Figure 3 – Increase in PBGC Announcements of Negotiated Funding Agreements

Appendix B: Number of Documents in TeamConnect by Plan Sponsor

 Plan sponsor          Number of Documents in TeamConnect
 A                     4,801
 B                     9,234
 C                     50
 D                     168
 E                     0 (zero)
 F                     6,027
 G                     7,416
 H                     37
 I                     114
 J                     74
 K                     501
 L                     66

Figure 5 – Variances in TeamConnect documentation

Appendix C: Amount of Protections Announced by PBGC

 Plan sponsor    Press Release          Amount Announced (in Millions)
 A               Yes                    $39
 B               Yes                    $1,200*
 B               Yes                    $800*
 C               Yes                    $39.3
 D               No
 E               Yes                    $17.70
 F               Yes                    ----
 G               Yes                    ----
 H               Yes                    $153
 I               Yes                    $400
 J               Yes                    $17.5
 K               Yes                    ----
 L               No
 Total                                  $2,666.5

Figure 6 – Amount of protections publicly announced by PBGC for the
agreements in our sample
*PBGC modified the agreement with Plan sponsor B two years later and made a second press release.

Appendix D: Comments from the Pension Benefit Guaranty Corporation

If you want to report or discuss confidentially any instance
of misconduct, fraud, waste, abuse, or mismanagement,
please contact the Office of Inspector General.

Telephone:
The Inspector General’s HOTLINE
1-800-303-9737

The deaf or hard of hearing, dial FRS (800) 877-8339
and give the Hotline number to the relay operator.

Web:
http://oig.pbgc.gov/investigation/details.html

Or Write:
Pension Benefit Guaranty Corporation
Office of Inspector General
PO Box 34177
Washington, DC 20043-4177